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Abstract. We provide here a computational interpretation of first-order logic 
based on a constructive interpretation of satisfiability w.r.t. a fixed but arbitrary in- 
terpretation. In this approach the formulas themselves are programs. This contrasts 
with the so-called formulas as types approach in which the proofs of the formulas 
are typed terms that can be taken as programs. This view of computing is inspired 
by logic programming and constraint logic programming but differs from them in 
a number of crucial aspects. 

Formulas as programs is argued to yield a realistic approach to programming 
that has been realized in the implemented programming language Alma-0 Apt, 
Brunekreef, Partington & Schaerf (1998) that combines the advantages of imper- 
ative and logic programming. The work here reported can also be used to reason 
about the correctness of non-recursive Alma-0 programs that do not include de- 
structive assignment. 



1.1 Introduction 

1.1.1 Logic Programming and Program Verification 

The logic programming paradigm in its original form (see Kowalski (1974)) 
is based on a computational interpretation of a subset of first-order logic that 
consists of Horn clauses. The proof theory and semantics for this subset has 
been well understood for some time already (see, e.g. Lloyd (1987)). 

However, the practice has quickly shown that this subset is too limited 
for the programming purposes, so it was extended in a number of ways, 
notably by allowing negation. This led to a long and still inconclusive quest 
for extending the appropriate soundness and completeness results to logic 
programs that allow negation (see, e.g. Apt & Bol (1994)). To complicate the 
matters further, Prolog extends logic programming with negation by several 
features that are very operational in nature. 

Constraint logic programming (see, e.g. Jaffar & Lassez (1987)) overcomes 
some of Prolog's deficiencies, notably its clumsy handling of arithmetic, by 
extending the computing process from the (implicit) domain of terms to 
arbitrary structures. 

Logic programming and constraint logic programming are two instances of 
declarative programming. According to declarative programming a program 
has a dual reading as a formula in a logic with a simple semantics. 

One of the important advantages of declarative programming is that, 
thanks to the semantic interpretation, programs are easier to understand, 
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modify and verify. In fact, the dual reading of a declarative program as a 
formula allows us to reason about its correctness by restricting our attention 
to a logical analysis of the corresponding formula. For each logical formalism 
such an analysis essentially boils down to the question whether the formula 
corresponding to the program is in an appropriate sense equivalent to the 
specification. 1 

However, in our opinion, we do not have at our disposal simple and intu- 
itive methods that could be used to verify in a rigorous way realistic "pure" 
Prolog programs (i.e. those that are also logic programs) or constraint logic 
programs. 

We believe that one of the reasons for this state of affairs is recursion, 
on which both logic programming and constraint logic programming rely. In 
fact, recursion is often less natural than iteration, which is a more basic con- 
cept. Further, recursion in combination with negation can naturally lead to 
programs that are not easily amenable to a formal analysis. Finally, recursion 
always introduces a possibility of divergence which explains why the study 
of termination is such an important topic in the case of logic programming 
(see, e.g., De Schreye & Decorte (1994)). 

1.1.2 First-order Logic as a Computing Mechanism 

Obviously, without recursion logic programming and constraint logic pro- 
gramming are hopelessly inexpressive. However, as we show in this paper, 
it is still possible to construct a simple and realistic approach to declarative 
programming that draws on the ideas of these two formalisms and in which 
recursion is absent. This is done by providing a constructive interpretation 
of satisfiability of first-order formulas w.r.t. to a fixed but arbitrary inter- 
pretation. Iteration is realized by means of bounded quantification that is 
guaranteed to terminate. 

More precisely, assuming a first-order language L, we introduce an ef- 
fective, though incomplete, computation mechanism that approximates the 
satisfiability test in the following sense. Given an interpretation I for L and a 
formula 4>(x) of L, assuming no abnormal termination in an error arises, this 
mechanism computes a witness a (that is, a vector of elements of the domain 

1 This can be made precise in the following way. Let x be the free variables of the 
specification (j> a , and y some auxiliary variables used in the program 4> p . Now 
correctness of the program with respect to the specification can be expressed by 
the sentence Vx ((By 4> p (x,y)) — > (p 3 (x)), to be valid under the fixed interpreta- 
tion. This sentence ensures that all solutions found by the program indeed satisfy 
the specification. Note that, under this definition, a program corresponding to a 
false formula is vacuously "correct" , because there are no solutions found. There- 
fore the stronger notion of correctness and completeness obtained by requiring 
also the converse implication above, and loosely phrased as "equivalence in an 
appropriate sense" , is the more adequate one. 
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of / such that <j)(a) holds in I) if cf){x) is satisfiable in /, and otherwise it 
reports a failure. 

The possibility of abnormal termination in an error is unavoidable because 
effectiveness cannot be reconciled with the fact that for many first-order lan- 
guages and interpretations, for example the language of Pcano arithmetic and 
its standard interpretation, the set of true closed formulas is highly undecid- 
able. As we wish to use this computation mechanism for executing formulas 
as programs, we spend here considerable effort at investigating the ways of 
limiting the occurrence of errors. 

From the technical point of view our approach, called formulas as pro- 
grams, is obtained by isolating a number of concepts and ideas present (of- 
ten implicitly) in the logic programming and constraint logic programming 
framework, and reusing them in a simple and self-contained way. In fact, 
the proposed computation mechanism and a rigorous account of its formal 
properties rely only on the basics of first-order logic. This contrasts with the 
expositions of logic programming and constraint logic programming which re- 
quire introduction of several concepts and auxiliary results (see for the latter 
e.g. Jaffar, Maher, Marriott & Stuckey (1998)). 

1.1.3 Computing Mechanism 

Let us explain now the proposed computation mechanism by means of an 
example. Consider the formula 

(x = 2Vx = 3)A(y = x + lV2 = y)A(2*x = 3*y) (1.1) 

interpreted over the standard structure of natural numbers. Is it satisfiable? 
The answer is "yes" : indeed, it suffices to assign 3 to a; and 2 to y. 

In fact, we can compute this valuation systematically by initially assigning 
2 to re and first trying the assignment of the value of x + 1, so 3, to y. As for 
this choice of value for y the equality 2 * x = 3 * y does not hold, we are led 
to the second possibility, assignment of 2 to y. With this choice 2 * x — 3 * y 
does not hold either. So we need to assign 3 to a; and, eventually, 2 to y. 

The above informal argument can be extended to a systematic procedure 
that attempts to find a satisfying valuation for a large class of formulas. 

1.1.4 Plan and Rationale of the Paper 

This paper is organized as follows. 

In Section 1.2 we provide a formal account of the proposed computation 
mechanism. In Section 1.3 we show that this approach is both correct (sound) 
and, in the absence of errors, complete. In the Appendix, Subsection 1.9.3, 
1.9.4, we investigate ways of limiting the occurrence of errors for the case of 
negation and implication. 
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For programming purposes first-order logic has limited expressiveness, 
so we extend it in Section 1.4 by a number of features that are useful for 
programming. This involves sorts (i.e., types), use of arrays and bounded 
quantifiers. The resulting fragment is surprisingly expressive and the under- 
lying computation mechanism allows us to interpret many formulas as highly 
non-trivial programs. 

As already mentioned above, formulas as programs approach to com- 
puting here discussed is inspired by logic programming and constraint logic 
programming but differs from them in a number of ways. 

For example, formula (1.1) cannot be interpreted as a logic programming 
query or run as a Prolog query. The reason is that the equality symbol in logic 
programming and Prolog stands for "is unifiable with" and the term 2 * x 
does not unify with 3 * y. In case of Prolog a possible remedy is to replace 
in (1.1) specific occurrences of the equality symbol by Prolog's arithmetic 
equality "=:=" or by the Prolog cvaluator operator is. The correct Prolog 
query that corresponds to formula (1.1) is then 

(X = 2 ; X = 3), (Y is X+l ; 2 = Y) , 2*X =:= 3*Y. 
(Recall that ";" stands in Prolog for disjunction and "," for conjunction.) 
This is clearly much less readable than (1.1) as three different kinds of 
equality-like relations are used here. 

A more detailed comparison with (constraint) logic programming and 
Prolog requires knowledge of the details of our approach and is postponed 
to Section 1.5. In principle, the formulas as programs approach is a variant 
of constraint logic programming in which both recursion and constraint han- 
dling procedures are absent, but the full first-order syntax is used. We also 
compare in Section 1.5 our formulas as programs approach with the formulas 
as types approach, also called the Curry-Howard-De Bruijn interpretation. 

The formulas as programs approach to programming has been realized in 
the programming language Alma-0 Apt et al. (1998) that extends imperative 
programming by features that support declarative programming. This shows 
that this approach, in contrast to logic programming and constraint logic 
programming, can easily be combined with imperative programming. So the 
introduced restrictions, such as lack of a constraint store, can be beneficial 
in practice. In Section 1.6 we summarize the main features of Alma-0. 

The work reported here can be used to provide logical underpinnings 
for a fragment of Alma-0 that does not include destructive assignment or 
recursive procedures, and to reason about programs written in this fragment. 
We substantiate the latter claim by presenting in Section 1.7 the correctness 
proof of a purely declarative Alma-0 solution to the well-known non-trivial 
combinatorial problem of partitioning a rectangle into a given set of squares. 

In conclusion, we provided here a realistic framework for declarative pro- 
gramming based on first-order logic and the traditional Tarskian semantics, 
which can be combined in a straightforward way with imperative program- 
ming. 
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1.2 Computation Mechanism 

Consider an arbitrary first-order language with equality and an interpretation 
for it. We assume in particular a domain of discourse, and a fixed signature 
with a corresponding interpretation of its elements in the domain. 

Definition 1 (valuation, assignment). A valuation is a finite mapping 
from variables to domain elements. Valuations will be denoted as single- 
valued sets of pairs x/d, where £ is a variable and d a domain element. We 
use a, a', f3, . . . for arbitrary valuations and call a 1 an extension of a when 
a C a', that is, every assignment to a variable by a also occurs in a'. Further, 
£ denotes the empty valuation. 

Let a be a valuation. A term t is a- closed if all variables of t get a value 
in a. In that case t a denotes the evaluation of t under a in the domain. More 
generally, for any expression E the result of the replacement of each a-closed 
term t by t a is denoted by E a . 

An a-assignment is an equation s = t one side of which, say s, is a variable 
that is not a-closed and the other side, t, is an a-closed term. 

In our setting, the only way to assign values to variables will be by evalu- 
ating an a-assignment as above. Given such an a-assignment, say x = t, we 
evaluate it by assigning to x the value t a . 

Definition 2 (formulas). In order to accommodate the definition of the 
operational semantics, the set of fomulas has an inductive definition which 
may look a bit peculiar. First, universal quantification is absent since we 
have no operational interpretation for it. Second, every formula is taken to 
be a conjunction, with every conjunct (if any) either an atomic formula (in 
short: an atom), or a disjunction, conjunction or implication of formulas, a 
negation of a formula or an existentially quantified formula. The latter two 
unary constructors are assumed to bind stronger then the previous binary 
ones. The atoms include equations of the form s = t, with s and t terms. 

For maximal clarity we give here an inductive definition of the set of 
formulas. In the operational semantics all conjunctions are taken to be right 
associative. 

1. The empty conjunction □ is a formula. 

2. If -0 is a formula and A is an atom, then A A ip is a formula. 

3. If tp, fa, fa are formulas, then (fa V fa) A ip is a formula. 

4. If tp, fa, fa are formulas, then (fa A fa) A ip is a formula. 

5. If tp, fa, fa are formulas, then (fa — > fa) A tp is a formula. 

6. If 0, tp are formulas, then ->(j) A "0 is a formula. 

7. If 0, tp are formulas, then 3x A tp is a formula. 

Definition 3 (operational semantics). The operational semantics of a 
formula will be defined in terms of a tree [0] Q depending on the formula 
and the (initial) valuation a. The root of [0] Q is labelled with the pair 
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<j>, a. All internal nodes of the tree \(j>\ a are labelled with pairs consisting of a 
formula and a valuation. The leaves of the tree [</>] Q are labelled with either 

• error (representing the occurrence of an error in this branch of the com- 
putation), or 

• fail (representing logical failure of the computation), or 

• a valuation (representing logical success of the computation and yielding 
values for the free variables of the formula that make the formula true). Kl 

It will be shown that valuations labelling success leaves are always exten- 
sions of the initial valuation. For a fixed formula, the operational semantics 
can be viewed as a function relating the initial valuation to the valuations 
labelling success leaves. 

We can now define the computation tree \4>\ a - The reader may consult 
first Fig. 1.1 to see such a tree for formula (1.1) and the empty valuation e. 



(y = x + 1 V 2 = y) A 2 * x = 3* y, {x/2} (j = i + 1 V 2 = j) A 2 »i = 3 t j/, {x/3} 



(x - 2 V x - 3) A (y = x + 1 V 2 = y) A 2 * x - 3 * y, e 




x = 2/\(y = x + lV2 = y)/\2*x = 3*y, e 



x = Z A (y = x + 1 \/ 2 = y) /\ 2 * x = 3 * y, e 





y = x + lA2*x = 3*y, {x/2} 



y = x + l/\2*x = 3*y, {x/3} 



2 = y/\2*x = 3*y, {x/2} 



2 = y/\2*x = 3*y, {x/3} 



2 * x = 3 * y, {x/2,y/3} 



2 * x = 3 * y, {x/3,y/4} 



2 * x = 3 * y, {x/2,y/2} 



2 * x = 3 * y, {x/3, y/2} 



fail fail fail {x/3, y/2} 

Fig. 1.1. The computation tree for formula (1) and valuation e. 
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Definition 4 (computation tree). The (computation) tree \<t>\ a is defined 
by lexicographic induction on the pairs consisting of the size of the formula cj>, 
and of the size of the formula 4>i for which <f> is of the form (f>i A ip, following 
the structure given by Definition 2. 

1. For the empty conjunction we define [D] a to be the tree with the root 
that has a success leaf a as its son: 

□ , a 



a 

2. If ip is a formula and A is an atom, then we distinguish four cases de- 
pending on the form of A. In all four cases [AAfl a is a tree with a root 
of degree one. 

• Atom A is a-closed and true. Then the root of \A A tpj a has [V>] Q as 
its subtree: 

A A ip, a 



bPla 

Atom A is a-closed and false. Then the root of [AA^] a has the 
failure leaf fail as its son: 

A A a 



• Atom A is not a-closed, but is 
of [iA^] a has the error leaf s 

A 



fail 

not an a-assignment. Then the root 
s its son: 

A ip, a 



error 

• Atom A is an a-assignmcnt s = t. Then either s or t is a variable 
which is not a-closed, say s = x with x not a-closed and t a-closed. 
Then the root of [A A has [^] tt , as its subtree, where a' extends 
a with the pair x/t a : 
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A A if;, a 



The symmetrical case is analogous. 
If tjj,(f)-i,4>2 are formulas, then we put [(0i V 02) A^] a to be the tree 
with a root of degree two and with left and right subtrees [0i A ip\ a and 
[02 A ipj a , respectively: 




Observe that 0i A ip and 02 A ip are smaller formulas than (0i V 02) A ip 
in the adopted lexicographic ordering. 

If ip, 4>i, <j>2 are formulas, then we put |(0i A 02) A ipj a to be the tree with 
a root of degree one and the tree [0i A ($2 A -0)] Q as its subtree: 

Oi A <p 2 ) Aip, a 



[01 A (02 A VOL 

This substantiates the association of conjunctions to the right as men- 
tioned in Definition 2. Note that, again, the definition refers to lexico- 
graphically smaller formulas. 
5. If -0, 0i, 02 are formulas, then we put [(0i — -> 02) A ip\ a to be a tree with 
a root of degree one. We distinguish three cases. 

• Formula 0i is a-closed and [0i] Q contains only failure leaves. Then 
the root of 

I(0i -> 02) A V] a has [V>] Q as its subtree: 

(0i ->■ 02) A ip, a 
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• Formula 0i is a-closed and [0i] Q contains at least one success leaf. 
Then the root of |(0i — > </> 2 ) A ip} a has [02 A ip} a as its subtree: 

(01 -^4>2) A V, « 



In all other cases the root of |(0i — > 02) A has the error leaf error 
as its son: 

(01 02) A V, ct 



error 

The above definition relies on the logical equivalence of 0i — > 02 and -i0i V 
0i , but avoids unnecessary branching in the computation tree that would 
be introduced by the disjunction. In the Appendix, Subsection 1.9.3, we 
explain how in the first case the condition that 0i is a-closed can be 
relaxed. 

6. If <f),ip are formulas, then to define [-10 A tjj} a we distinguish three cases 
with respect to 0. In all of them [-10 A ip} a is a tree with a root of degree 
one. 

• Formula is a-closed and [0] a contains only failure leaves. Then the 
root of [-10 A ip] a h as [tpj a as its subtree: 

-i0 A ip, a 



Formula is a-closed and [0] Q contains at least one success leaf. 
Then the root of [-10 A ip} a has the failure leaf fail as its son: 

-i0 A ip, a 



fail 

• In all other cases the root of [-10 A^| n has the error leaf error as its 
son: 
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->0 A ip, a 



error 

There are basically two classes of formulas in this contingency: 
those that are not a-closed and those for which [0] a contains no 
success leaf and at least one error leaf. In Subsection 1.9.3 we give 
some examples of formulas in the first class and show how in some 
special cases their negation can still be evaluated in a sound way. 
7. The case of 3a; 0A-0 requires the usual care with bound variables to avoid 
name clashes. Let a be a valuation. First, we require that the variable x 
does not occur in the domain of a. Second, we require that the variable x 
does not occur in ip. Both requirements are summarized by phrasing that 
x is fresh with respect to a and ip. They can be met by appropriately 
renaming the bound variable x. 

With x fresh as above we define [3a; A tpj a to be the tree with a root 
of degree one and A as its subtree: 

(3a;0) A ip, a 



[0 A VL 

Thus the operational semantics of 3x A ip is, apart from the root of 
degree one, identical to that ofcpAip. This should not come as a surprise, 
as 3a; A -0 is logically equivalent to 3x (0 A ip) when x does not occur 
in ip. 

Observe that success leaves of [0 A ip} a , and hence of [3a; A ip] a , may or 
may not contain an assignment for x. For example, 3a; x = 3Aip yields an 
assignment for x, but 3a; 3 = 3 A -0 does not. In any case the assignment 
for x is not relevant for the formula as a whole, as the bound variable x is 
assumed to be fresh. In an alternative approach, the possible assignment 
for x could be deleted. E3 

To apply the above computation mechanism to arbitrary first-order for- 
mulas we first replace all occurrences of a universal quantifier V by ->3-i and 
rename the bound variables so that no variable appears in a formula both 
bound and free. 

Further, to minimize the possibility of generating errors it is useful to 
delete occurrences of double negations, that is, to replace every subformula 
of the form -i-*ip by ip. 
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1.3 Soundness and Completeness 

The computation mechanism defined in the previous section attempts to find 
a valuation that makes the original formula true if this formula is satisfiable, 
and otherwise it reports a failure. The lexicographic ordering used in Defini- 
tion 3 guarantees that for any formula the computation tree is finite. In this 
section we prove correctness and completeness of this mechanism. 

We start with an easy lemma which is helpful to keep track of valuations, 
followed by a definition. 

Lemma 1. For every formula <fi and valuation a, \4>\ a contains only valua- 
tions extending a with pairs x/d, where x occurs free in (f> or appears exis- 
tentially quantified in <p. Moreover, if (p is a-closed then [</>] Q contains only 
valuations extending a with variables that appear existentially quantified in 

4>. 

Proof. By induction on the lexicographic ordering of formulas as given in 
Definition 4. M 

Definition 5 (status of computation tree). A computation tree is 

• successful if it contains a success leaf, 

• failed if it contains only failure leaves, 

• determined if it is either successful or failed, that is, it either contains a 
success leaf or contains only failure leaves. E3 

Note that according to this definition a successful tree can contain the error 
leaves. This means that the error leaves differ from Prolog's run-time errors. 
In fact, in a top-down implementation of the proposed computation mecha- 
nism the depth-first search traversal of a computation tree should not abort 
but rather backtrack upon encounter of such a leaf and continue, if possible, 
in a search for a successful leaf. 

We can now state the desired correctness result. 

Theorem 1 (Soundness). Let <j) be a formula and a a valuation. 

(i) If \4>\ a contains a success leaf labelled with a', then a' extends a and 

V(</>" ) is true. (In particular 3(4> a ) is true in this case.) 
(ii) If\<p\ a is failed, then 3((f> a ) is false. 

Proof. See Appendix, Subsection 1.9.1. E3 

The computation mechanism defined in Section 1.3 is obviously incom- 
plete due to the possibility of errors. The following results states that, in the 
absence of errors, this mechanism is complete. 

Theorem 2 (Restricted Completeness). Let (f> be a formula and a a 
valuation such that \<j)\ a is determined. 
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(i) Suppose that 3((f> a ) is true. Then the tree [0] Q is successful, 
(ii) Suppose that 3(</>") is false. Then the tree \<j>\ a is failed. 

Proof. See Appendix, Subsection 1.9.2. M 

Admittedly, this result is very weak in the sense that any computation 
mechanism that satisfies the above soundness theorem also satisfies the re- 
stricted completeness theorem. 

It is useful to point out that the computation mechanism of Section 1.2 
used in the above theorems is by no means a simple counterpart of the prov- 
ability relation of the first-order logic. 

For the sake of further discussion let us say that two formulas 4> an d i> 
are equivalent if 

• the computation tree [0] e is successful iff the computation tree [-0] e is 
successful and in that case both computation trees have the same set of 
successful leaves, 

• [</>] £ is failed iff [V>] e is failed. 

Then <f> A ip is not equivalent to ip A (p (consider x — OAx < 1 and x < 1A 
x = 0) and -■(</> A ip) is not equivalent to -x/> V -^ip (consider -i(x = OAx = 1) 
and -i(x = 0) V -<(x = 1). In contrast, <fi V ip is equivalent to ip V </>. 

We can summarize this treatment of the connectives by saying that we 
use a sequential conjunction and a parallel disjunction. The above notion of 
equivalence deviates from the usual one, for example de Morgan's Law is not 
valid. 

A complete axiomatization of the equivalence relation induced by the 
computation mechanism of Section 1.2 is an interesting research topic. 

1.4 Extensions 

The language defined up to now is clearly too limited as a formalism for 
programming. Therefore we discuss a number of extensions of it that are 
convenient for programming purposes. These are: non-recursive procedures, 
sorts (i.e., types), arrays and bounded quantification. 

1.4.1 Non- recursive Procedures 

We consider here non-recursive procedures. These can easily be introduced in 
our framework using the well-known extension by definition mechanism (see, 
e.g., Shoenfield (1967)[pages 57-58]). 

More specifically, consider a first-order formula -0 with the free variables 
xi, . . ., x n . Let p be a new n-ary relation symbol. Consider now the formula 
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that we call the definition of p. 

Suppose that, by iterating the above procedure, we have a collection P 
of definitions of relation symbols. We assume furthermore that the fixed but 
arbitrary interpretation has been extended with interpretations of the new 
relation symbols in such a way that all definitions in P become true. There 
is only one such extension for every initial interpretation. 

Let be a formula in the extended first-order language, that is, with 
atoms p(ti, . . .,t n ) from P included. We extend the computation mechanism 
Ma °f Section 1.2, by adding at the beginning of Clause 2 in Definition 4 
the following item for handling atoms p(t\, . . ., t n ) from P. 

• Atom A is of the form p{t\, . . ., t n ), where p is a defined relation symbol 
with the definition 

p(x 1 ,...,x n )^ipp. 
Then the root of {A A V>] a has \\p p {xi/t ll . . ., x n /t n } A tp] a as its subtree: 

A A tp, a 



{^{x-i/tx, . . .,x n /t n } A V] Q 

Here ip p {xi/t\, . . ., x n /t n } stands for the result of substituting in ip p the 
free occurrences of the variables x\,...,x n by t\, . . ., t n , respectively. 

The proof of the termination of this extension of the computation mech- 
anism introduced in Section 1.2 relies on a refinement of the lexicographic 
ordering used in Definition 4, taking into account the new atoms. 

The above way of handling defined relation symbols obviously corresponds 
to the usual treatment of procedure calls in programming languages. 

The soundness and completeness results can easily be extended to the 
case of declared relation symbols. In this version truth and falsity refer to 
the extended interpretation. 

So far for non-recursive procedures. 

1.4.2 Sorts 

In this subsection we introduce sorts (i.e., types). The extension of one-sorted 
to many-sorted first-order logic is standard. It requires a refinement of the 
notion of signature: arities are no longer just numbers, but have to specify 
the sorts of the arguments of the function and predicate symbols, as well as 
the sorts of the function values. Terms and atoms are well-formed if the sorts 
of the arguments comply with the signature. In quantifying a variable, its 
sort should be made explicit (or should at least be clear from the context). 
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Interpretations for many-sorted first-order languages are obtained by as- 
signing to each sort a non-empty domain and by assigning to each function 
symbol and each predicate symbol respectively an appropriate function and 
relation on these sorts. 

Sorts can be used to model various basic data types occurring in program- 
ming practice: integers, booleans, characters, but also compound data types 
such as arrays. 

1.4.3 Arrays 

Arrays can be modelled as vectors or matrices, using projection functions 
that are given a standard interpretation. Given a sort for the indices (typ- 
ically, a segment of integers or a product of segments) and a sort for the 
elements of the array, we add a sort for arrays of the corresponding type 
to the signature. We also add to the language array variables, or arrays for 
short, to be interpreted as arrays in the standard interpretation. 

We use the letters a, b, c to denote arrays and to distinguish arrays from 
objects of other sorts. We write a\t\, . . ., t n ] to denote the projection of the 
array a on the index [ti,...,t n ], akin to the use of subscripted variables 
in programming languages. The standard interpretation of each projection 
function maps a given array and a given index to the correct element. Thus 
subscripted variables are simply terms. These terms are handled by means of 
an extension of the computation mechanism of Section 1.2. 

A typical example of the use of such a term is the formula a [0,0] = 1, 
which should be matched with the formula x — 1 in the sense that the 
evaluation of each equality can result in an assignment of the value 1 to a 
variable, either a[0, 0] or x. So we view a[0, 0] as a variable and not as a 
compound term. 

To this end we extend a number of notions introduced in the previous 
section. 

Definition 6. An array valuation is a finite mapping whose elements are of 
the form a[d\, . . ., d n ]/d, where a is an n-ary array symbol and d\, . . ., d n , d 
are domain elements. An extended valuation is a finite mapping that is a 
union of a valuation and an array valuation. H 

The idea is that an element a[di, . . ., d n ]/d of an array valuation as- 
signs the value d to the (interpretation of) array a applied to the argu- 
ments di,...,d n - Then, if the terms t\,...,t n evaluate to the domain elements 
d\, . . .,d n respectively, the term a[ti, . . -,t n ] evaluates to d. This simple in- 
ductive clause yields an extension of the notion of evaluation t Q , where a is 
an extended valuation, to terms t in the presence of arrays. The notions of 
an a-closed term and an a-assignment are now somewhat more complicated 
to define. 

Definition 7. Consider an extended valuation a. 
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• A variable x is a-closed if for some d the pair x/d is an element of a. 

• A term f(t\, . . -,t n ), with / a function symbol, is a-closed if each term 
ti is a-closed. 

• A term a[t\, . . .,t n ] is a-closed if each term ti is a-closed and evaluates 
to a domain element di such that for some d the pair a[d\, . . ., d n ]/d is an 
element of a. 

An equation ,s = t is an a- assignment if either 

• one side of it, say s, is a variable that is not a-closed and the other, t, is 
an a-closed term, or 

• one side of it, say s, is of the form a[t\, . . ., t n ], where each ti is a-closed 
but a[t±, . . ., t n ] is not a-closed, and the other, t, is an a-closed term. E3 

The idea is that an array a can be assigned a value at a selected po- 
sition by evaluating an a-assignmcnt a[ti, . . .,t n ] = t. Assuming the terms 
ti, . . ., t n , t are a-closed and evaluate respectively to d\, . . ., d n , d, the evalua- 
tion of a[ti, . . .,t n ] = t results in assigning the value d to the array a at the 
position d\, . . ., d n . 

With this extension of the notions of valuation and a-assignment we can 
now apply the computation mechanism of Section 1.2 to first-order formulas 
with arrays. The corresponding extensions of the soundness and completeness 
theorems of Section 1.3 remain valid. 

1.4.4 Bounded quantification 

In this subsection we show how to extend the language with a form of bounded 
quantification that essentially amounts to the generalized conjunction and 
disjunction. We treat bounded quantification with respect to the integer num- 
bers, but the approach can easily be generalized to data types with the same 
discrete and ordered structure as the integers. 

Definition 8 (bounded quantification). Let a be a valuation and let 
<p(x) be a formula with x not occurring in the domain of a. Furthermore, let 
s, t be terms of integer type. We assume the set of formulas to be extended 
in such a way that also 3x G [s..t] 4>{x) and Vx G [s..t] 4>{x) are formulas. The 
computation trees of these formulas have a root of degree one and depend on 
s and t in the following way. 

• If s or t is not a-closed, then the roots of both [3a; G [s..t] 4>{x)\ a and 
[Vx G [s..t] 4>{x)\ a have the error leaf error as its son. 

• If s and t are a-closed and s a > t a , then the root of [3x G [s..t] 4>{x)} a 
has the failure leaf fail as its son and the root of [Vx G [s..t] <j>(x)J a has 
a success leaf a as its son. 

• If s and t are a-closed and s a < t a , then 

- the root of [3x G [s..t] <f>(x)} a has [0(x) V 3y G [s+l..t] 4>{y)j aU{x/sa} 
as its subtree, 
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- the root of [Vx G [a..t] 4>{x)j a has [<j>{x) A V?y e [s+l..t] <t>(y)l aU{x/s « } 
as its subtree. 

In both cases y should be a fresh variable with respect to a, <p(x) in order 
to avoid name clashes. 

The soundness and completeness results can easily be extended to include 
bounded quantification. E3 

1.5 Relation to Other Approaches 

The work here discussed is related in many interesting ways to a number of 
seminal papers on logic, logic programming and constraint logic program- 
ming. 

1.5.1 Definition of Truth compared to Formulas as Programs 

First, it is instructive to compare our approach to the inductive definition 
of truth given in Tarski (1933). This definition can be interpreted as an 
algorithm that, given a first-order language L, takes as input an interpretation 
I of L and a formula <j> of L, and yields as output the answer to the question 
whether the universal closure of </> is true in /. This algorithm is not effective 
because of the way quantifiers are dealt with. This is unavoidable since truth 
is undecidable for many languages and interpretations, for instance Peano 
arithmetic and its standard model. 

In the formulas as programs approach the initial problem is modified in 
that one asks for a constructive answer to the question whether a formula is 
satisfiable in an interpretation. The algorithm proposed here is effective at 
the cost of occasionally terminating abnormally in an error. 

1.5.2 Relation to Logic Programming 

Some forty years later, in his seminal paper Kowalski (1974) proposed to use 
first-order logic as a computation formalism. This led to logic programming. 
However, in spite of the paper's title, only a subset of first-order logic is 
used in his proposal, namely the one consisting of Horn clauses. This restric- 
tion was essential since what is now called SLD-resolution was used as the 
computation mechanism. 

In the discussion we first concentrate on the syntax matters and then 
focus on the computation mechanism. 

The restriction of logic programs and goals to Horn clauses was gradually 
lifted in Clark (1978), by allowing negative literals in the goals and in clause 
bodies, in Lloyd & Topor (1984), by allowing arbitrary first-order formulas as 
goals and clause bodies, and in Lobo, Minker & Rajasekar (1992) by allowing 
disjunctions in the clause heads. In each case the computation mechanism of 



1 Formulas as Programs 17 



SLD-resolution was suitably extended, either by introducing the negation as 
failure rule, or by means of transformation rules, or by generalizing so-called 
linear resolution. 

From the syntactic point of view our approach is related to that of Lloyd 
& Topor (1984). Appropriate transformation rules are used there to get rid 
of quantifiers, disjunctions and the applications of negation to non-atomic 
formulas. So these features of first-order logic are interpreted in an indirect 
way. It is useful to point out that the approach of Lloyd & Topor (1984) was 
implemented in the programming language Godel of Hill & Lloyd (1994). 

Further, it should be noted that bounded quantifiers and arrays were also 
studied in logic programming. In particular, they are used in the specification 
language Spill of Kluzniak & Milkowska (1997) that allows us to write exe- 
cutable, typed, specifications in the logic programming style. Other related 
references are Voronkov (1992), Barklund & Bevemyr (1993) and Apt (1996). 

So from the syntactic point of view our approach does not seem to differ 
from logic programming in an essential way. The difference becomes more 
apparent when we analyze in more detail the underlying computation mech- 
anism. 

To this end it is useful to recall that in logic programming the comput- 
ing process takes place implicitly over the free algebra of all terms and the 
values are assigned to variables by means of unification. The first aspect can 
be modelled in the formulas as programs approach by choosing a term inter- 
pretation, so an interpretation the domain D of which consists of all terms 
and such that each n-ary function symbol / is mapped to a function frj that 
assigns to elements (so terms) ti,...,t n of D the term f(ti, . . ., t n ). With this 
choice our use of a-assignment boils down to an instance of matching which 
in turn is a special case of unification. 

Unification in logic programming can be more clearly related to equality 
by means of the so-called homogenization process the purpose of which is to 
remove non-variable terms from the clauses heads. For instance, 

append(xl,ys,zl) <- xl=[x|xs], zl=[x|zs], append(xs,ys,zs) 
is a homogenized form of the more compact clause 

append ( [x|xs] ,ys, [x|zs] ) <- append (xs,ys,zs). 
To interpret the equality in the right way the single clause 

x = x <- 

should then be added. This enforces the "is unifiable with" interpretation of 
equality. So the homogenization process reveals that logic programming relies 
on a more general interpretation of equality than the formulas as programs 
approach. It allows one to avoid generation of errors for all equality atoms. 

In conclusion, from the computational point of view, the logic program- 
ming approach is at the same time a restriction of the formulas as programs 
approach to the term interpretations and a generalization of this approach 
in which all equality atoms can be safely evaluated. 
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1.5.3 Relation to Pure Prolog 

By pure Prolog we mean here a subset of Prolog formed by the programs and 
goals that are Horn clauses. 

Programming in Prolog and in its pure subset relies heavily on lists and 
recursion. As a result termination is one of the crucial issues. This led to an 
extensive study of methods that allow us to prove termination of logic and 
Prolog programs (see De Schreye & Decorte (1994) for a survey of various 
approaches). 

In contrast, our approach to programming is based on arrays and itera- 
tion that is realized by means of bounded quantification. These constructs 
are guaranteed to terminate. In fact, it is striking how far one can go in pro- 
gramming in this style without using recursion. If the reader is not convinced 
by the example given of Section 1.7 below, he/she is invited to consult other 
examples in Voronkov (1992) and Apt et al. (1998). 

In the formulas as programs approach the absence of recursion makes it 
possible to analyze queries without explicit presence of procedures, by sys- 
tematically replacing procedures by their bodies. This allows us to represent 
each program as a single query and then rely on the well-understood Tarskian 
semantics of first-order logic. 

In the standard logic programming setting very few interesting programs 
can be represented in this way. In fact, as soon as recursion is used, a query 
has to be studied in the context of a program that defines the recursive pro- 
cedures. As soon as negation is also present, a plethora of different semantics 
arises — see e.g. Apt & Bol (1994). Finally, in the presence of recursion it is 
difficult to account for Prolog's selection rule in purely semantic terms. 

1.5.4 Relation to Pure Prolog with Arithmetic 

By pure Prolog with arithmetic we mean here an extension of pure Prolog 
by features that support arithmetic, so Prolog's arithmetic relations such as 
"=:=" and the Prolog evaluator operator is. 

These features allow us to compute in the presence of arithmetic but in a 
clumsy way as witnessed by the example of formula (1.1) of Subsection 1.1.3 
and its elaborated representation in Prolog in Subsection 1.1.4. 

Additionally, a possibility of abnormal termination in an error arises. 
Indeed, both arithmetic relations and the is operator introduce a possibility 
of run-time errors, a phenomenon absent in pure Prolog. For instance, the 
query X is Y yields an error and so does X =:= Y. 

In contrast, in the formulas as programs approach arithmetic can be sim- 
ply modelled by adding the sorts of integers and of reals. The a-assignment 
then deals correctly with arithmetic expressions because it relies on auto- 
matic evaluation of terms. This yields a simpler and more uniform approach 
to arithmetic in which no new special relation symbols are needed. 
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1.5.5 Relation to Constraint Logic Programming 

The abovementioned deficiencies of pure Prolog with arithmetic have been 
overcome in constraint logic programming, an approach to computing that 
generalizes logic programming. In what follows we concentrate on a specific 
approach, the generic scheme CLP(X) of Jaffar & Lassez (1987) that gener- 
alizes pure Prolog by allowing constraints. In this scheme atoms are divided 
into those defined by means of clauses and those interpreted in a direct way. 
The latter ones are called constraints. 

In CLP(X), as in our case, the computation is carried out over an ar- 
bitrary interpretation. At each step (instead of the unification test of logic 
programming and its application if it succeeds) satisfiability of the so far en- 
countered constraints is tested. A computation is successful if the last query 
consists of constraints only. 

There are two differences between the formulas as programs approach 
and the CLP(X) scheme. The first one has to do with the fact that in our 
approach full first-order logic is allowed, while in the latter — as in logic 
programming and pure Prolog — Horn clauses are used. 

The second one concerns the way values are assigned. In our case the only 
way to assign values to variables is by means of an a-assignment, while in 
the CLP(X) scheme satisfiability of constraints guides the computation and 
output is identified with a set of constraints (that still have to be solved or 
normalized). 

The CLP(X) approach to computing has been realized in a number of 
constraint logic programming languages, notably in the CLP (TV) system of 
Jaffar, Michayov, Stuckey & Yap (1992) that is an instance of the CLP(X) 
scheme with a two-sorted structure that consists of reals and terms. In this 
system formula (1.1) of Subsection 1.1.3 can be directly run as a query. 

Once negation is added to the CLP(X) scheme (it is in fact present in 
CLP (TZ)), the extension of the CLP(X) syntax to full first-order logic could 
be achieved by using the approach Lloyd & Topor (1984) or by extending the 
computation mechanism along the lines of Section 1.2. 

So, ignoring the use of the first-order logic syntax in the formulas as 
programs approach and the absence of (recursive) procedures that could be 
added to it, the main difference between this approach and the CLP(X) 
scheme has to do with the fact that in the former only very limited constraints 
are admitted, namely ground atoms and a-assignments. In fact, these are the 
only constraints that can be resolved directly. 

So from this point of view the formulas as programs approach is less gen- 
eral than constraint logic programming, as embodied in the CLP(X) scheme. 
However, this more limited approach does not rely on the satisfiability pro- 
cedure for constraints (i.e., selected atomic formulas), or any of its approxi- 
mations used in specific implementations. In fact, the formulas as programs 
approach attempts to clarify how far constraint logic programming approach 
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can be used without any reliance on external procedures that deal with con- 
straint solving or satisfiability. 

1.5.6 Formulas as Programs versus Formulas as Types 

In the so-called formulas as types approach, also called the Curry-Howard-De 
Bruijn interpretation (see e.g. Troelstra & van Dalen (1988)) (constructive) 
proofs of a formula are terms whose type is the formula in question. The type 
corresponding to a formula can thus be viewed as the (possibly empty) set 
of all proofs of the formula. Here 'proof refers to an operational notion of 
proof, in which 

• a proof of <p V ip is either left(p) with p a proof of <p, or right(p) with p 
a proof of ip; 

• a proof of 4> A ip is a pair (p 7 q) consisting of a proof p of <p and and a 
proof q of ip; 

• a proof of an implication <j> — > ip is a function that maps proofs of <p to 
proofs of ip; 

• a proof of Va; <p(x) is a function that maps domain elements d to proofs 
of 0(d); 

• a proof of 3x <p(x) is of the form ex(d,p) with domain element d a witness 
for the existential statement, and p a proof of <p{d). 

Such proofs can be taken as programs. For example, a constructive proof 
of Va; 3y (p(x, y) is a function that maps d to an expression of the form 
ex(ed,Pd) with p^ a proof of <p{d, e^). After extraction of the witness ea the 
proof yields a program computing a from d. 

The main difference between formulas as types and formulas as programs 
is that in the latter approach not the proofs of the formulas, but the formulas 
themselves have an operational interpretation. To illustrate this difference, 
consider the computation tree of formula (1.1) in Fig. 1.1 with its proof: 

ex(3, ex(2, (right(p 3 = 3 ), (right(p 2 =2) , f>2*3=3*2»)) 

Here pa is a proof of A, for each true closed atom A. 

Observe that in the above proof the witnesses 3 and 2 for x and y, re- 
spectively, have to be given beforehand, whereas in our approach they are 
computed. In the formulas as programs approach the proofs are constructed 
in the successful branches of the computation tree and the computation is 
guided by the search for such a proof. Apart from differences in syntax, the 
reader will recognize the above proof in the successful branch of Figure 1.1. 

Given the undecidability of the first-order logic, there is a price to be paid 
for formulas programs. It consists of the possibility of abnormal termination 
in an error. 
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1.6 Alma-0 

We hope to have convinced the reader that the formulas as programs ap- 
proach, though closely related to logic programming, differs from it in a 
number of crucial aspects. 

This approach to programming has been realized in the implemented pro- 
gramming language Alma-0 (Apt et al. 1998). A similar approach to program- 
ming has been taken in the 2LP language of McAloon & Tretkoff (1995). 
2LP (which stands for "logic programming and linear programming") uses 
C syntax and has been designed for constraint programming in the area of 
optimization. 

Alma-0 is an extension of a subset of Modula-2 that includes nine new 
features inspired by the logic programming paradigm. We briefly recall those 
that are used in the sequel and refer to Apt et al. (1998) for a detailed 
presentation. 

• Boolean expressions can be used as statements and vice versa. A boolean 
expression that is used as a statement and evaluates to FALSE is identified 
with a failure. 

• Choice points can be created by the non-deterministic statements ORELSE 
and SOME. The former is a dual of the statement composition and the 
latter is a dual of the FOR statement. Upon failure the control returns 
to the most recent choice point, possibly within a procedure body, and 
the computation resumes with the next branch in the state in which the 
previous branch was entered. 

• The notion of initialized variable is introduced and the equality test is 
generalized to an assignment statement in case one side is an uninitialized 
variable and the other side an expression with known value. 

• A new parameter passing mechanism, call by mixed form, denoted by 
the keyword MIX, is introduced for variables of simple type. It works as 
follows: If the actual parameter is a variable, then it is passed by variable. 
If the actual parameter is an expression that is not a variable, its value is 
computed and assigned to a new variable v (generated by the compiler) : 
it is v that is then passed by variable. So in this case the call by mixed 
form boils down to call by value. Using this parameter mechanism we can 
pass both expressions with known values and uninitialized variables as 
actual parameters. This makes it possible to use a single procedure both 
for testing and computing. 

For efficiency reasons the Alma-0 implementation does not realize faith- 
fully the computation mechanism of Section 1.2 as far as the errors are con- 
cerned. First, an evaluation of an atom that is not a-closed and is not an 
a-assignment yields a run-time error. On the other hand, in the other two 
cases when the evaluation ends with the error leaf, in the statements NOT S 
and IF S THEN T END, the computation process of Alma-0 simply proceeds. 



22 



Krzysztof R. Apt and Marc Bezem 



The rationale for this decision is that the use of insufficiently instanti- 
ated atoms in Alma-0 programs is to be discouraged whereas the catching 
of other two cases for errors would be computationally prohibitive. In this 
respect the implementation of Alma-0 follows the same compromise as the 
implementations of Prolog. 

We now associate with each first-order formula <f> an Alma-0 statement 
T{4>). This is done by induction on the structure of the formula (f>. The 
translation process is given in Table 1.1. 



Formula 


Alma-0 construct 


A (atom) 


A 


4>i v 4>2 


EITHER T(0i) ORELSE T(<j> 2 ) END 


4>i a 4>2 


T(0i);T(fc) 




IF T 0) THEN T (ip) END 




NOT T (0) 


3x(f>(x,y) 


p(y), where the procedure p is defined by 




PROCEDURE p(MIX y : f); 




VAR x : T; 




BEGIN 








END; 




where T is the type (sort) of the variable x and 




T is the sequence of types of the variables in y. 


Jx e [s..t]4> 


SOME x := s TO t DO T (0) END 


Mx € [s..t]<f> 


FOR x := s TO t DO T(4>) END 



Table 1.1. Translation of formulas into Alma-0 statements. 



This translation allows us to use in the sequel Alma-0 syntax to present 
specific formulas. 

1.7 Example: Partitioning a Rectangle into Squares 

To illustrate the Alma-0 programming style and the use of formulas as pro- 
grams approach for program verification, we consider now the following vari- 
ant of a problem from Honsberger (1970, pages 46-60). 

Squares in the rectangle. Partition an integer sized nx x ny rectangle into 
given squares Si, ... , S m of integer sizes Si, . . . , s m . 

We develop a solution that, in contrast to the one given in Apt et al. (1998), 
is purely declarative. To solve this problem we use a backtracking algorithm 
that fills in all the cells of the rectangle one by one, starting with the left 
upper cell and proceeding downward in the leftmost column, then the next 
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column, and so on. The algorithm checks for each cell whether it is already 
covered by some square used to cover a previous cell. Given the order in 
which the cells are visited, it suffices to inspect the left neighbour cell and 
the upper neighbour cell (if these neighbours exist). This is done by the test 

((1 < i) AND (i < RightEdge[i - 1, j])) OR 
((1 < j) AND (j < LowerEdge[i, j - 1])). 

Here [i,j] is the index of the cell in question, and RightEdge [i-1 , j] is 
the right edge of the square covering the left neighbour ([i-1, j] , provided 
i > 1), and LowerEdge[i, j-1] is the lower edge of the square covering 
the upper neighbour ([i,j-l], provided j > 1). The cell under considera- 
tion is already covered if and only if the test succeeds. If it is not covered, 
then the algorithm looks for a square not yet used, which is placed with its 
top- left corner at [i,j] provided the square fits within the rectangle. The 
algorithm backtracks when none of the available squares can cover the cell 
under consideration without sticking out of the rectangle. See Figure 1.2. 



ny 
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Fig. 1.2. Example of values of RightEdge (left diagram) and LowerEdge (right 
diagram) , respectively. Entry * is indexed by [2,4]. It is not covered already since 
neither 2 < RightEdge[l, 4] — 2 nor 4 < LowerEdge[2, 3] = 4. 



In test (1.2) we used the AND and OR connectives instead of the ";" and 
ORELSE constructs for the following reason. In case all variables occurring in 
a test are instantiated, some optimizations arc in order. For example, it is 
not necessary to backtrack within the test, disjunctions do not have to create 
choice points, and so on. The use of AND and OR enables the compiler to apply 
these optimizations. 

Backtracking is implemented by a SOME statement that checks for each 
square whether it can be put to cover a given cell. The solution is returned 
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via two arrays posX and posY such that for square Sk (of size Sizes [k] ) 
posX [k] , posY [k] are the coordinates of its top-left corner. 

The two equations posX [k] = i and posY [k] = j are used both to con- 
struct the solution and to prevent using an already placed square again at a 
different place. 

The declaration of the variables posX and posY as MIX parameters allows 
us to use the program both to check a given solution or to complete a partial 
solution. 

TYPE SquaresVector = ARRAY [1..M] OF INTEGER; 

PROCEDURE Squares (Sizes : SquaresVector , MIX posX, posY: SquaresVector) ; 

VAR RightEdge , LowerEdge : ARRAY [1 . .NX] , [1 . .NY] OF INTEGER; 
i,il, j,jl, k: INTEGER; 

BEGIN 

FOR i := 1 TO NX DO 
FOR j := 1 TO NY DO 

IF NOT (* cell [i,j] already covered? *) 

(((1 < i) AND (i < RightEdge [i-1, j] )) OR 
((1 < j) AND (j < LowerEdge[i, j-1]))) 
THEN 

SOME k := 1 TO M DO 
PosX[k] = i; 

PosY[k] = j; (* square k already used? *) 

Sizes [k] + i <= NX + 1; 

Sizes [k] + j <= NY + 1; (* square k fits? *) 

FOR il := 1 TO Sizes [k] DO 
FOR jl := 1 TO Sizes [k] DO 

RightEdge [i+il-l,j+j 1-1] = i+Sizes [k] ; 
LowerEdge [i+il-l,j+j 1-1] = j+Sizes[k] 
END (* complete administration *) 

END 
END 
END 
END 
END 
END Squares; 

This program is declarative and consequently has a dual reading as the 
formula 



Vi £ [l..nx] Wj £ [l..ny] 

->(1 < i < RightEdge j] V 1 < j < LowerEdge [i, j-1]) 
3k £ [l..m] <f>(i,j,k), 
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where <fi(i,j, k) is the formula 

PosX[fc] = i A PosY[fc] = j A 

Sizes[/c]+z < nx+1 A Sizes[fc]+j < ny+1 A ip(i, j, k) 
and ip(i,j, k) is the formula 

W G [L.Sizes(fc)] V/ G [l..Sizes(fc)] 
RightEdge[i+z'-l, j+j'-l] = i+Sizes[fc] A 
LowerEdge[z+z' — 1, j+j'— 1] = j+Sizes[fc] 

This dual reading of the program entails over the standard interpretation the 
formula 

Vz G [L.Tia;] Vj G [l..ny] 3fc G [l..m] 

PosX[fc] < i < PosX[/c]+Sizes[/c] < nx+1 A 

PosY[fc] < j < PosY[A:]+Sizes[fc] < ny+1 (1.2) 

expressing that every cell is covered by a square. The entailment is not trivial, 
but can be made completely rigorous. The proof uses arithmetic, in particular 
induction on lexicographically ordered pairs This entailment actually 

means that the program satisfies its specification, that is, if the computation 
is successful, then a partition is found (and can be read off from PosX[fc] and 
PosY[fc]). The latter fact relies on the Soundness Theorem 1. 

Conversely, assuming that the surfaces of the squares sum up exactly to 
the surface of the rectangle, the specification (1.2) entails the formula cor- 
responding to the program, with suitable values for RightEdge, LowerEdge. 
Furthermore, the absence of errors can be established by lexicographic in- 
duction. This ensures that the computation tree is always determined. By 
the Completeness Theorem 2, one always gets an answer. If this answer is 
negative, that is, if the computation tree is failed, then by the Soundness 
Theorem 1 the formula corresponding to the program cannot be satisfied, 
and hence (1.2) cannot be satisfied. 

1.8 Current and Future Work 

The work here presented can be pursued in a number of directions. We listed 
here the ones that seem to us most natural. 
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Recursive procedures The extension of the treatment of non-recursive pro- 
cedures in Subsection 1.4.1 to the case of recursive procedures is far from 
obvious. It requires an extension of the computation mechanism to one with 
possible non-terminating behaviour. This could be done along the lines of Apt 
& Doets (1994) where the SLDNF-resolution of logic programs with negation 
is presented in a top down, non-circular way. 

Also, on the semantic level several choices arise, much like in the case 
of logic programming, and the corresponding soundness and completeness 
results that provide a match between the computation mechanism and se- 
mantics need to be reconsidered from scratch. 

Constraints As already said in Subsection 1.5.5, the formulas as programs ap- 
proach can be seen as a special case of constraint logic programming, though 
with a full first-order syntax. It is natural to extend our approach by allow- 
ing constraints, so arbitrary atoms that have no definition in the sense of 
Subsection 1.4.1. The addition of constraints will require on the computation 
mechanism level use of a constraint store and special built-in procedures that 
approximate the satisfiability test for conjunctions of constraints. 

Automated Verification The correctness proof presented in Section 1.7 was 
carried out manually. It boils down to a proof of validity of an implication 
between two formulas, This proof is based on an lexicographic ordering os it 
should be possible to mechanize this proof. This would lead a fully mechanized 
correctness proof of the Alma-0 program considered there. 

Relation to Dynamic Predicate Logic In Groenendijk & Stokhof (1991) an 
alternative "input-output" semantics of first-order logic is provided. In this 
semantics both the connectives and the quantifiers obtain a different, dy- 
namic, interpretation that better suits their use for natural language analysis. 
This semantic is highly nondeterministic due to its treatment of existential 
quantifiers and it does not take into account a possibility of errors. 

It is natural to investigate the precise connection between this semantics 
and our formulas as programs approach. A colleague of us, Jan van Eijck, has 
recently undertook this study. Also, it would be useful to clarify to what ex- 
tent our approach can be of use for linguistic analysis, both as a computation 
mechanism and as a means for capturing errors in discourse analysis. 

Absence of abnormal termination Another natural line of research deals with 
the improvements of the computation mechanism in the sense of limiting 
the occurrence of errors while retaining soundness. In Appendix, Subsec- 
tions 1.9.3 and 1.9.4 we consider two such possibilities but several other 
options arise. Also, it is useful to provide sufficient syntactic criteria that for 
a formula guarantee absence of abnormal termination. This work is naturally 
related to a research on verification of Alma-0 programs. 



1 Formulas as Programs 27 



Acknowledgements 

We would like to thank Jan van Eijck and David Scott Warren for a number 
of helpful suggestions. 



References 

Apt, K. R. (1996), 'Arrays, bounded quantification and iteration in logic 
and constraint logic programming', Science of Computer Programming 
26(1-3), 133-148. 

Apt, K. R. & Bol, R. (1994), 'Logic programming and negation: a survey', 
Journal of Logic Programming 19-20, 9-71. 

Apt, K. R. & Doets, H. C. (1994), 'A new definition of SLDNF-resolution', 
Journal of Logic Programming 18(2), 177-190. 

Apt, K. R., Brunekrecf, J., Partington, V. & Schaerf, A. (1998), 'Alma-0: 
An imperative language that supports declarative programming', ACM 
Toplas. In press. Available via http : //www . cwi.nl/~apt. 

Barklund, J. & Bevemyr, J. (1993), Prolog with arrays and bounded quan- 
tifications, in A. Voronkov, ed., 'Logic Programming and Automated 
Reasoning — Proc. 4th Intl. Conf.', LNCS 698, Springer- Verlag, Berlin, 
pp. 28-39. 

Clark, K. L. (1978), Negation as failure, in H. Gallaire & J. Minker, eds, 
'Logic and Databases', Plenum Press, New York, pp. 293-322. 

De Schreye, D. & Decorte, S. (1994), 'Termination of logic programs: the 
never-ending story', Journal of Logic Programming 19-20, 199-260. 

Groenendijk, J. & Stokhof, M. (1991), 'Dynamic predicate logic', Linguistics 
and philosophy 14(2), 39-101. 

Hill, P. M. & Lloyd, J. W. (1994), The Godel Programming Language, The 
MIT Press. 

Honsberger, R. (1970), Ingenuity in Mathematics, Random House, Inc., New 
York. 

Jaffar, J. & Lassez, J.-L. (1987), Constraint Logic Programming, in 
'POPL'87: Proceedings 14th ACM Symposium on Principles of Program- 
ming Languages', ACM, pp. 111-119. 

Jaffar, J., Maher, M., Marriott, K. & Stuckcy, P. (1998), 'The semantics of 
constraint logic programs', Journal of Logic Programming 37(1-3), 1-46. 

Jaffar, J., Michayov, S., Stuckey, P. & Yap, R. (1992), 'The CLP(ft) lan- 
guage and system', A CM Transactions on Programming Languages and 
Systems 14(3), 339-395. 



28 



Krzysztof R. Apt and Marc Bezem 



Kluzniak, F. & Milkowska, M. (1997), 'Spill: A logic language for writing 
testable requirements specifications', Science of Computer Programming 
28(2 & 3), 193-223. 

Kowalski, R. (1974), Predicate logic as a programming language, in 'Proceed- 
ings IFIP'74', North-Holland, pp. 569-574. 

Lloyd, J. W. (1987), Foundations of Logic Programming, second edn, 
Springer- Verlag, Berlin. 

Lloyd, J. W. & Topor, R. W. (1984), 'Making Prolog more expressive', Jour- 
nal of Logic Programming 1, 225-240. 

Lobo, J., Minkcr, J. & Rajasekar, A. (1992), Foundations of Disjunctive Logic 
Programming, The MIT Press. 

McAloon, K. & Tretkoff, C. (1995), 2LP: Linear programming and logic pro- 
gramming, in P. Van Hentenryck & V. Saraswat, eds, 'Principles and 
Practice of Constraint Programming', MIT Press, pp. 101-116. 

Shoenfield, J. R. (1967), Mathematical Logic, Addison- Wesley, Reading, Mas- 
sachusetts. 

Tarski, A. (1933), Poj§cie prawdy w jezykach nauk dedukcyjnych, To- 
warzystwo Naukowe Warszawskie, Warszawa. In Polish. English version 
appeared in A. Tarski, Logic, semantics, metamathematics: papers from 
1923 to 1938, Oxford, Clarendon, 1956. 

Troelstra, A. S. & van Dalen, D. (1988), Constructivism in Mathematics, 
Studies in Logic and the Foundations of Mathematics, North-Holland 
Publ. Co., Amsterdam. Two vols. 

Voronkov, A. (1992), Logic programming with bounded quantifiers, in 
A. Voronkov, ed., 'Logic Programming and Automated Reasoning — Proc. 
2nd Russian Conference on Logic Programming', LNCS 592, Springer- 
Verlag, Berlin, pp. 486-514. 

1.9 Appendix 

1.9.1 Proof of the Soundness Theorem 1 

The proof proceeds by induction on the lexicographic ordering on formulas 
which is defined in Definition 4. We carefully go through all inductive cases. 

1. The case of the empty conjunction is trivial. 

2. The first three of the four cases concerning atom A arc obvious. It remains 
to deal with the last case, where atom A is an a-assignment s = t. Then ei- 
ther s or t is a variable which is not a-closed, say s = x with x not a-closed 
and t a-closed. The symmetrical case is analogous. The tree fx = t A tpj a 
is, apart from the root of degree one, identical to Mau{a;/t a }- 
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^ Wau{i/i«} contains a success leaf labelled by (3, then by the induction 
hypothesis V(V' /3 ) is true. Since t is a-closed and (3 extends a U {x/t a }, 
we have (x = t) 13 = (x 13 = t 13 ) = (t a = t a ). The last formula is true, so 
also V((a; = t A ip) 13 ) is true. 

If MaiHz/t"} i s f aue d, then by the induction hypothesis 3(^> aU W*"}) 
is false. Note again that t is a-closed and let x,x\,...,x n be all the 
free variables of ip that are not in the domain of a. (If n = or if x 
does not occur in ip, then the argument is even simpler.) Then we have 
3((x = t A ip) a ) = 3x, Xi, . . . , x n (x — t a A ip a (x, x\, . . . , x n )), which is 
logically equivalent to 3xi, . . . ,x n ip a (t a ,xi, . . . ,x n )) = 3(ip aU ^ x ^ tC "^). It 
follows that 3((x = t A -0)") is also false. 

3. The case of (4>\ V <j>2) A ip uses the distributive law and the induction 
hypothesis applied to the the lexicographically smaller formulas <fi\ A ip 
and (f>2 A ip. 

4. The case of {<p\ A <p2) A ip uses the associativity of conjunction and the 
induction hypothesis applied to the the lexicographically smaller formulas 

(pi and (p2 A ip. 

5. The case of (<pi — > fo) A ip uses the logical equivalence of (pi — ► <p2 and 

V (p2- If formula (pi is a-closed and \(p\ a is failed, then the argument 
is similar to the corresponding case of ^<p> A ip in the next case. The 
other case can be dealt with by applying the induction hypothesis to 
(pi A {(p 2 A ip). 

6. For A ip we distinguish three cases with respect to (p. 

• Formula (p is a-closed and [0] Q is failed. Then, by the induction 
hypothesis, 3(0") is false, so V(-i0 a ) is true. Since [-10 A tpj a is, apart 
from the root of degree one, identical to {ip} a , we apply the induction 
hypothesis to ip. If \ip\ a is failed, then 3(ip a ) is false, and hence 
3((-i0A0) a ) is false. If \ip\ a contains a success leaf (3 then (3 extends 
a and V(0^) is true. Note that V(-i0") implies V(-i0 7 ), for any 7 
extending a, even if is not a-closed. It follows that V((-i0 A ip) 13 ) 
is true. Observe that we did not use the fact that is a-closed. 
So the proof remains valid under the first relaxation described in 
Subsection 1.9.3. 

• Formula is a-closed and [0] Q contains at least one success leaf, 
labelled by an extension [3 of a. The tree [-10 A ip] a consists of a root 
and a failure leaf in this case, so we have to show that 3((-i0A-0) a ) is 
false. By the induction hypothesis, V(0^) is true, and hence V(0") is 
true, as p3 is an extension of a and is a-closed. This implication also 
holds if is not a-closed, provided that (3 does not contain any pair 
x/d where x is free in (p a . Consequently, 3(-i0 a ) is false and hence 
also 3((-i0AVO Q ) is false. Observe that the proof remains valid under 
the second relaxation described in Subsection 1.9.3. 

• In all other cases there is nothing to prove as [->0 A ip\ a has then only 
error leaves. 
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7. For the case 3x <j>Aip, assume that x is fresh with respect to ip and some 
valuation a. It is convenient to make the possible occurrence of x in <f> 
explicit by writing 4>{x) for <j>. Recall that apart form the root of degree 
one \3x <f>(x) Ai/)] a is identical to \<p{x) A^] a . 

Assume \<j)(x) A ip\ a contains a success leaf labelled by (3. By applying the 
induction hypothesis to the lexicographically smaller formula 4>{x) Aip we 
get that V((0(ar) A ■0)' 3 ) is true. It follows that V((3a; (f>(x) A ip) f) ) is true. 
Some minor technicalities have been left to the reader here: the case in 
which x does not occur in the domain of (3 has to be settled by applying 
(Vx 4>(xj) — > (3a; 4>(x)) and not by inferring 3x <j>{x) from </>(ar). 
Assume \<j){x) A^\ a is failed. Then, again by the induction hypothesis, 
3((4>(x) A VO") is false. Since x does occur neither in a, nor in tp, it follows 
that 3((3x <p(x) A ip) a ) is false. ® 



1.9.2 Proof of the Restricted Completeness Theorem 2 

(i) Suppose by contradiction that [</>] Q is not successful. Since this tree is 
determined, it is failed. By the Soundness Theorem 1 3(<j> a ) is false which is 
a contradiction. 

(ii) Suppose by contradiction that [</>] a is not failed. Since this tree is deter- 
mined, it is successful. By the Soundness Theorem 1 for some (3 that extends 
a we have that V((/> /3 ) is true. This is a contradiction since the falsity of 3{cf) a ) 
is equivalent to the truth V(-></> a ) that implies the truth of V(-k^). 



1.9.3 More liberal negation 

In this subsection we show how in Definition 4 the restriction u <f> is a-closed" 
in the case of the tree \-^(j> A tp} a can be relaxed without losing soundness. 
There are basically two such relaxations. 

First, observe by means of example that ->(0 = I Ax = y) is true, indepen- 
dent of the values of x and y. This observation can be generalized as follows. 
If I4>} a is failed, then A fl a can be defined as the tree with a root of 
degree one and [V'lc as its subtree, even if (f> is not a-closed. In the proof 
of the Soundness Theorem we already accommodated for this relaxation, see 
Subsection 1.9.1. 

Second, observe that the dual phenomenon also exists: -i(0 = OVx = y) is 
false, independent of the values of x and y. More generally, if [</>] Q contains a 
success leaf (3 not containing any pair x/d with x free in <f) a 7 then [-■</> A^] a 
can be defined as the tree with a root of degree one and a failure leaf as its 
son, even if </> is not a-closed. 
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1.9.4 More liberal implication 

The first and the second relaxation above can be both applied to the compu- 
tation tree [(0i — > fa) A i>J a , the first to the case in which the tree [0i] a is 
failed, and the second to the case in which the tree [0i] Q contains a success 
leaf not containing any pair x/d with x free in 0". 

There are several other ways to liberalize implication. The aim is to be 
more complete, that is, to yield more determined computation trees (without 
losing soundness, of course). 

As a first example, consider the following computation tree: 

(0 = 1 -»ar = 0) A x < 1, e 



X < 1, £ 



error 

This computation tree is not determined. In contrast, using the equiva- 
lence of (f>i — > (f>2 and V 02 , we get the following computation tree which 
is determined, as it contains a success leaf {x/0}: 

(-.(0 = 1) V x = 0) A x < 1, e 




-i(0 = 1) A x < 1, £ x = A x < 1, £ 



x < 1, £ x < 1, {x/0} 



error { x /0} 

The above example shows that -i0i V 02 can be "more complete" than 
0i ^02, although in some cases the disjunction involves unnecessary branch- 
ing in the computation tree. As an example of the latter phenomenon, com- 
pare the computation trees for (0 = 1 — > = 0) A-0 and (-i(0 = 1) V0 = 0) Atp: 
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(0 = 1 -> = 0) A ip, a (-.(0 = 1) V = 0) A V, a 



i(0 = 1) A V, « 



= A V, a 



As a second example, consider the computation tree \{x = — > x < l] e , 
which is not determined since x = is not £-closed: 



x = — > a; < 1, e 



error 



One would like to have this tree succeed with {x/0}. (The fact that {x/1} 
is also a solution is beyond the scope of our method, since [->(a; = 0)] e is not 
determined.) For this the equivalence of <j>i — > </> 2 and -xj>i V <p2 does not help, 
as the computation tree [-i(x = 0) V x < 1] £ is not determined either: 



i(i = 0)Vi<1, e 



i(x = 0), £ 



error 



X < 1, £ 



error 



Note that the left subtree ends with error since \x — 0] succeeds with 
{x/0}. Liberal negation does not help us any further here. 

In order to have \(x = — > x < l] e succeed it is necessary to transfer the 
valuation of the success leaf of the antecedent, i.e. {x/0}, to the consequent. 
Thus we are tempted to consider -«f>i V {<p\ A 02 ) as a more useful logical 
equivalent of <f>\ — * (f>2 than — >0i V 02- The conjunction (p\/\(p2 has the desired 
effect on the transfer of valuations. Indeed the following computation tree is 
successful: 



1 Formulas as Programs 33 
-.(ar = 0) V (a; = A x < 1), e 




-.(x = 0), s x = A x < 1, £ 

error a; < 1, {x/0} 

WO} 

The combination of -i0i V (0i A 02) for 0i — > 02 with liberal negation 
yields the following computation tree for [((x = A x = 1) — > = 1) A ip] E : 

(-,(x = 0Ax = l)V(x = 0Ax = lA0 = l))AV, £ 




-■(x = A i = 1) A ^ £ x = 0Ax=lA0 = lAV, e 



x = 1 A = 1 A tp, {x/0} 



fail 

Note that the "guard" x = OAx = 1 prevents [h/>] £ to be computed twice, 
even if we replace = 1 by = 0. 

On the other hand, this guard also prevents successful computations, 
such as in [((x = 0Ax=l)^x = 0)Ax< l] e , where the solution {x/0} 
is missed when ->0i V (0i A fa) is used instead of ->0i V fa for fa — > fa. 

The above example shows that -ifa V (fa A fa) is not always "more com- 
plete" than V fa. Thus we are led to consider -ifa V fa V (fa A fa) as a 
third logical equivalent of fa fa, in an attempt to collect all the successes 
of ->fa V fa and -ifa V (0i A fa). Indeed this works for the successes, but not 
for the failures, as the following delicate example shows. 

Consider \fa — > fa\ £ with = V x < 1 for fa and = 1 for fa. Then 
both [-!0il e and \fa\ e are failed, but \fa A fa\ e has an error leaf due to 
the disjunct x < 1. This means that \~^fa V fa\ e is failed, whereas neither 
[-101 V (0i A fa)\ e nor [-ifa V fa V (fa A fa)\ £ is determined. 
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From the above we can draw the following conclusions: 

• Liberal negation is always an improvement for implication; 

• For finding successes, use <j>\ — > 4>2 = ~^<j>i Vi^V^iA^); 

• For failures, use <fii — > <p2 = ~^<j>i V fa- 



